The AVM Final Rule Is in Effect. Here's What Your Institution Needs Now.

The rule is no longer coming. It's here.

On July 17, 2024, six federal agencies — the OCC, Federal Reserve, FDIC, NCUA, CFPB, and FHFA — issued the final rule implementing quality control standards for automated valuation models under FIRREA § 1125. The rule was published in the Federal Register on August 7, 2024, and took effect on October 1, 2025.

If your institution uses AVMs in connection with making credit decisions for mortgage lending — whether for origination, refinancing, or home equity lines of credit — the rule applies to you. If your institution uses AVMs in covered securitization determinations, the rule applies to you. And if you're using AVMs through a third party or affiliate, the rule still applies — to you.

The question is no longer whether your institution needs quality control standards for AVMs. The question is whether you can demonstrate them.

What the rule actually requires

The final rule is intentionally non-prescriptive. It does not mandate specific thresholds, specific vendors, or specific software. Instead, it requires institutions to adopt policies, practices, procedures, and control systems that ensure AVMs adhere to five quality control standards. The agencies expect institutions to calibrate their controls based on their size and the risk and complexity of the transactions involved.

This flexibility is both an opportunity and a challenge. It means the rule accommodates everything from a community credit union processing a handful of AVMs per month to a national bank governing thousands of valuations per day. But it also means there is no checklist to follow. Your institution needs to build — or adopt — a system that operationalizes these standards in a way that is documented, consistent, and demonstrable.

The five quality control standards

The rule establishes five standards. Each one addresses a distinct dimension of AVM quality control.

1. Ensure a high level of confidence in the estimates produced

This is the threshold question: is this AVM's confidence score high enough for your institution to rely on it? The challenge is that every vendor reports confidence differently. CoreLogic uses a percentage. ICE Mortgage Technology uses Forecast Standard Deviation. Freddie Mac uses letter grades. Zillow uses qualitative terms like “High” and “Medium.”

Without standardization, your institution is comparing apples to oranges. The MISMO Common Confidence Score standard provides a common 0-100 scale, but implementing it requires vendor-specific normalization logic, documented conversion methodologies, and honest attribution of how each score was derived.

2. Protect against the manipulation of data

Data integrity means more than storing records in a database. It means being able to prove that the data seen by the policy check is the same data that was originally submitted — that nothing was modified, deleted, or inserted between intake and evaluation.

Traditional audit logs provide a record of what happened, but they are append-only by convention, not by construction. A cryptographic hash chain — where each event's hash incorporates the previous event's hash — provides a mathematically verifiable guarantee: modify any historical event, and every subsequent hash becomes invalid.

3. Seek to avoid conflicts of interest

The third standard addresses the independence of the valuation process. Institutions need to detect and document when AVM vendors have relationships with originators, servicers, or other parties to the transaction. This requires a systematic approach — a watchlist, matching rules, and documented decisions about what constitutes a conflict and how it should be handled.

4. Require random sample testing and reviews

Quality control requires verification, and verification requires sampling. The fourth standard asks institutions to randomly sample AVM decisions for independent review. The key word is “random” — the selection must be unbiased and the process must be documented in a way that an examiner can verify the selection was not manipulated.

Beyond the selection itself, institutions need to track sampling breadth: are all loan types, geographies, vendors, and time periods represented in the samples? A QC program that only samples conventional loans from one vendor leaves significant gaps in coverage.

5. Comply with applicable nondiscrimination laws

The fifth standard — added by the agencies using their discretionary authority under FIRREA — requires institutions to consider how AVM outcomes interact with fair lending obligations. This is not a passive requirement. It contemplates active monitoring: are AVM confidence scores, pass rates, or estimated values systematically different across demographic classifications?

Most institutions address nondiscrimination with periodic consultant studies that cost tens of thousands of dollars and take weeks to produce. The rule contemplates something more continuous — ongoing analysis integrated into the operational workflow, not a one-time snapshot.

What examiners will look for

The rule requires policies, practices, procedures, and control systems. Examiners will evaluate all four:

• Policies: Has the institution adopted written policies for AVM quality control? Do they address all five standards?
• Practices: Are those policies reflected in day-to-day operations? Are they consistently applied?
• Procedures: Are there documented steps for AVM intake, evaluation, and exception handling?
• Control systems: Is there technical infrastructure that enforces the policies? Can the institution demonstrate that the controls are operational?

The critical question is the last one: “Show me your control system.” Policies on paper are necessary but not sufficient. An examiner will want to see that the institution has operational controls that are documented, active, and demonstrable — not a binder on a shelf.

The gap between policy and proof

Many institutions have responded to the AVM Final Rule by drafting policies. Some have updated their compliance manuals. Some have added AVM review steps to their origination checklists. These are good starts, but they leave a gap: how do you prove the policies were followed?

If your compliance depends on manual processes — an analyst checking a spreadsheet, a reviewer signing off on a form, a manager approving an exception verbally — then your evidence is only as strong as your documentation discipline. And documentation discipline, in any organization, degrades over time under operational pressure.

The alternative is a system where compliance is not a manual overlay on existing processes, but the process itself. Where every AVM decision flows through a control layer that enforces policies automatically, records every step cryptographically, and produces verifiable evidence that the process was followed — for every loan, every time, without relying on human discipline to maintain the record.

What a compliant control system looks like

A control system that satisfies the AVM Final Rule should, at minimum:

• Normalize AVM confidence scores to a common standard so that thresholds are meaningful across vendors
• Enforce institution-specific confidence thresholds automatically at intake, with configurable strictness per loan type and property type
• Maintain a tamper-evident record of every AVM decision, from document intake through policy check to final disposition
• Check for conflicts of interest systematically at every intake point, not just when someone remembers to look
• Select random samples for QC review using a verifiable process that an examiner can confirm was unbiased
• Tag every loan with applicable nondiscrimination laws and monitor AVM outcomes across demographic classifications continuously
• Produce compliance evidence that is exportable, verifiable, and independent of the platform that generated it

This is not a feature list for a software product. This is a description of the operational infrastructure the rule contemplates. Whether you build it internally or adopt a purpose-built platform, the requirement is the same: documented, operational, demonstrable controls across all five quality control standards.

The cost of waiting

The AVM Final Rule took effect on October 1, 2025. Every AVM your institution processes without documented quality control standards is an uncontrolled risk — not a future risk, a present one. The question an examiner will ask is not “are you planning to comply?” but “can you show me your controls for the loans you've already originated?”

The institutions that move now will have compliance evidence building from day one. The institutions that wait will have a gap in their record — a period where AVMs were used in covered transactions without documented quality control standards in place. That gap gets harder to explain the longer it persists.